What is the CCPA and why should you care?

Aug 02, 2019 (8 min read)

CCPA is the law and the only way for a business to opt-out of it is to go out of business. For businesses that want to stay in business, however, CCPA is just the beginning of things to come.

[Image: California state flag superimposed on a map and satellite view. Credit: GGuy44 / Skegbydave / Getty Images]

California is a big state. It’s so huge, in fact, that if it were a country, with its nearly 40 million residents, it would have the fifth largest economy in the world, behind only the United States, China, Japan and Germany. With that much power, what happens in California affects the world.

On January 1, 2020, many businesses will start feeling the aftershocks of what will emanate from the Golden State, when the earthquake known as the California Consumer Privacy Act (CCPA) goes into effect.

If you are familiar with the General Data Protection Regulation (GDPR) from the European Union, then the CCPA will be elementary. Here’s a handy CCPA and GDPR comparison guide from the Future of Privacy Forum. But simply put, CCPA will be the toughest data privacy law in the United States. Let that sink in.

What the CCPA attempts to do is provide enhanced privacy rights and consumer protection for California residents. It gives California residents significant rights around their data. Some of the new rights they have include:

  1. Businesses must disclose the personal data collected, sold, or disclosed for a business purpose about a consumer. They must also inform consumers of the categories of personal data collected and the purposes for which that personal data will be used.
  2. Businesses may not discriminate against a consumer who exercises their CCPA rights. That covers pricing, quality, service levels and more.
  3. Businesses must provide the consumer with access to their data.
  4. Upon request, businesses must delete the consumer’s personal data. If you have shared that personal data with a third party, they must also delete it.
  5. Businesses must provide the consumer with the ability to opt out. You must give them the right to opt out of the sale of their personal data, and part of that includes easy-to-use links on your website for doing so.

The CCPA may apply to you if you are a business that collects the personal data of California consumers and does business in California. That brings a huge number of businesses into scope. If you are one of those businesses, then each of those five items listed means you have a lot of work to do.

And even if you don’t directly deal with California consumers, you may be a third party that does, or be part of a subsidiary or affiliate that is. The firm you service may be in scope for CCPA, which may create downstream requirements that you will have to meet.

Newton’s Third Law of motion states that for every action, there is an equal and opposite reaction. When it comes to CCPA – for every consumer right, there is an equal and opposite set of complex processes and actions that you need to have in place to be compliant. And there are a lot of rights in CCPA.

Just what is personal data under CCPA?

Since personal data is what drives everything, it’s crucial to fully understand what CCPA considers personal data. Like GDPR, CCPA takes a far-reaching approach to what it regards as personal data. The specific details are in section 1798.140(o)(1) of the bill, which defines personal information as information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.

That section includes the standard identifiers such as name, address, passport number, social security number, driver’s license number, and much more. But it also extends into other information such as biometric data; audio, electronic, visual, thermal, olfactory, or similar information; Internet or other electronic network activity information; geolocation data; and lots more. And I mean lots, lots more. In fact, it might be easier at first to say what’s not personal data than to define what is.

CCPA is the big Kahuna of privacy laws

Simply put, CCPA is creating a massive amount of work for in-scope firms. It’s August 2019, and at this point your CCPA initiatives should be complete and tested.

For the 95% of firms that are not there, here is some of what CCPA means for you (and please note, these are but a few of the very many things that must be done):

  • Data discovery. Do you know all of the ingress and egress points where personal data enters and leaves your organization? Do you have a listing of every data store where CCPA personal data is kept? This aspect alone is a huge endeavor. 20 years ago, the Y2K issue caused similar angina, and that was over nothing more than two digits. The change itself was simple: expand the year field from xx to xxxx. It was the underlying Y2K logistics that were a nightmare. If only CCPA were that simple.
  • Data types. Now that you know the countless locations where personal data is stored, do you have a catalog of all the various types of personal data stored? CCPA has a broad definition of what constitutes personal data. There’s the standard stuff, but it also extends to IP addresses, email addresses, and any other piece of data that can be correlated with or related to that person. If you understand big data, then you understand how broad CCPA personal data is.
  • Privacy policy. Update your privacy policy to explicitly mention CCPA and include the privacy disclosures it mandates. CCPA is quite broad, and your privacy policy will have to reflect that.
  • Households. While the GDPR dealt with individuals, CCPA creates the notion of a household. Most articles at this point would define the term, and I’d love to do the same for household. But CCPA has not yet defined what a household is. I’m not joking: the CCPA makes you do something, but doesn’t tell you what that something is. With some license to Potter Stewart, how will you know a household when you see it? The only advice I can give you at this point is to use the broadest application possible as part of your compliance efforts. Work with your legal counsel to determine that level.
  • Get ready for enforcement. CCPA goes live January 1, but like GDPR, there won’t be any enforcement for 6 months. While that means enforcement is about a year away, that is still a very short amount of time for complex organizations with a lot of consumer data.

Start working on CCPA compliance

For any business of substantial size, it’s highly likely that they are in scope for CCPA. Those that are not shouldn’t simply sit and do nothing. As goes California, so go many other states. A number of other states are already considering implementing similar consumer privacy laws. Rather than wait until the last minute, be judicious and start planning for the inevitable.

Finally, don’t even think for a minute of trying to play wait and see with CCPA. It’s not going away, and hoping it does is a foolish business decision. The EU recently fined British Airways $230 million for GDPR violations. The State of California will have similar enforcement capabilities. CCPA is not poker and there’s no way to bluff yourself out of it.

CCPA trickles down to other areas

With every new law, regulation or standard, there are the details that one must comply with, in addition to the repercussions of those details. That alone could fill a few articles.

One area to consider is whether your insurance policies will protect you against CCPA-related issues. CCPA has a major effect here, and you will need to involve your insurance department across professional liability/E&O, directors & officers policies, cyber-insurance, employment practices liability, and other coverage.

As part of your CCPA readiness assessment, ensure that all of the areas where CCPA can have an impact are identified and brought up to compliance.

Like the state, CCPA is huge. Read the details and it’s easy to see that CCPA requires firms to make major infrastructure changes. CCPA mandates a significant number of new processes around data collection. It requires significant reengineering and rearchitecture of how personal data is handled. And like the mountain of the same name in California, CCPA is mammoth.

If you think you are in scope for CCPA, take a few days to read everything you can on the topic. The more educated you are about the act, the better you can deal with it. 

For any large and complex organization, compliance with CCPA is a project measured in years. While consumers can opt-out, CCPA is a law and the only way for a business to opt-out of it is to go out of business. For businesses that want to stay in business, CCPA is just the beginning of things to come.


Ben Rothke, CISSP, CISM, CISA is a Senior Information Security Manager at Tapad and has over 20 years of industry experience in information systems security and privacy. He’s the co-author of the recently published book The Definitive Guide to PCI DSS Version 4: Documentation, Compliance, and Management.